Skip to content
Tests

Add allowGitCommonDir support for linked Git worktrees #540

Sign in to view logs

Add allowGitCommonDir support for linked Git worktrees

Add allowGitCommonDir support for linked Git worktrees #540

Workflow file for this run

.github/workflows/integration-tests.yml at 1253343
name: Tests
on:
push:
branches: ['main']
pull_request:
branches: ['**']
jobs:
integration-tests:
name: Tests (${{ matrix.os }} / ${{ matrix.arch }})
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- arch: x86-64
runner: ubuntu-latest
os: linux
- arch: arm64
runner: ubuntu-24.04-arm
os: linux
- arch: x86-64
runner: macos-15-large
os: macos
- arch: arm64
runner: macos-14
os: macos
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.1
- name: Install system dependencies (Linux)
if: matrix.os == 'linux'
run: |
sudo apt-get update
sudo apt-get install -y bubblewrap libseccomp-dev gcc socat ripgrep apparmor-profiles zsh
- name: Enable unprivileged user namespaces (Linux)
if: matrix.os == 'linux'
run: |
# Ubuntu 24.04+ sets kernel.apparmor_restrict_unprivileged_userns=1 which
# allows unshare(CLONE_NEWUSER) but grants the new namespace zero
# capabilities. Disable it so bwrap and apply-seccomp can nest
# namespaces without needing setuid.
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
sudo sysctl -w kernel.unprivileged_userns_clone=1 || true
# Verify bwrap can create namespaces
echo "Testing bwrap namespace creation..."
bwrap --ro-bind / / --unshare-net true && echo "✓ bwrap namespace creation works" || echo "✗ bwrap namespace creation still fails"
- name: Install system dependencies (macOS)
if: matrix.os == 'macos'
run: |
brew install ripgrep zsh
- name: Install Node dependencies
run: npm install
- name: Build seccomp binaries (Linux)
if: matrix.os == 'linux'
run: npm run build:seccomp
- name: Build project
run: npm run build
- name: Run tests
run: npm test
- name: Run Node.js fallback tests
run: node test/utils/which-node-test.mjs
- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.os }}-${{ matrix.arch }}
path: |
test-results/
*.log
if-no-files-found: ignore
docker-tests:
name: Tests (docker / ${{ matrix.arch }})
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- arch: x86-64
runner: ubuntu-latest
- arch: arm64
runner: ubuntu-24.04-arm
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Enable unprivileged user namespaces on host
run: |
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
sudo sysctl -w kernel.unprivileged_userns_clone=1 || true
- name: Run srt end-to-end in unprivileged container
run: |
docker run --rm \
--security-opt seccomp=unconfined \
--security-opt apparmor=unconfined \
-v "${{ github.workspace }}:/work" \
-w /work \
-e SRT_E2E_DOCKER=1 \
ubuntu:24.04 \
bash -euo pipefail -c '
apt-get update -qq
apt-get install -y -qq bubblewrap socat ripgrep python3 curl ca-certificates unzip gcc libseccomp-dev
curl -fsSL https://bun.sh/install | bash
export PATH="$HOME/.bun/bin:$PATH"
curl -fsSL https://deb.nodesource.com/setup_18.x | bash -
apt-get install -y -qq nodejs
npm ci
npm run build:seccomp
npm run build
bun test test/docker-weak-sandbox.test.ts
'